The vast majority of studies on the underground economy focus on the economics of the products of an attack (e.g. number of infected systems, stolen records, CCNs, ..), whereas a comprehensive characterization of the economics of attack production is still missing: we need to investigate the full picture of attack production and adoption.

Research at the TU/e security group aims at answering foundational as well as empirical questions on attack scaling and commodification:

What are the dynamics of exploit commodification and adoption?

How are these markets operating, what makes them sustainable from an economic perspective, and which mechanisms drive technological innovation in traded products?

How does the risk profile of an exploit change once the exploit is traded in a market? Can we pinpoint economic and technical characteristics that affect the risk of attacks at scale driven by that exploit?

Market selection and infiltration

Criteria for market evaluation. It is important to rst evaluate whether the selected market is a credible candidate for analysis, or is yet another example of many ‘scam-for-scammers’ underground forums. We performed an analysis of the markets’ economic mechanisms (e.g. addressing information asymmetry, adverse selection, and moral hazard), traded goods, and participation, reported in (Allodi et al. TETCS 2016). A summary of selection criteria is reported below:

Cr.1 Enforcement of market regulation mechanisms; market mech- anisms enforcing market rules, such as punishment for rippers or presence of trade guarantors or escrows are known to be central to address foundational problems that cripple the economics of cybercrime markets and hinder product quality.

Cr.2 Evidence of trade. We evaluated face evidence of actual trad- ing activity in the market. Accounting for indications from economic literature, we investigate trade-related feedback from market participants, discussions in the market threads, product evolution, and type of market interactions.

Cr.3 Presence of prominent attack tools reported by the industry. For a market to be technologically interesting we would expect to find products, players, and infection technologies reported by the industry (e.g. exploit kits, malware campaigns, malware vendors, ..).

(Allodi et al. TETCS 2016) reports a comparison of selection criteria for a working Russian market (RuMarket) and a failed German market. The two images below report, as an example, a comparison of the reputation level by user group in the two markets.

The boxplots report reputation levels in the failed market (left) and working market (right) by user group. User groups map levels of membership in the market and are ordered in the plots by increasing trustworthiness as explicitly specified in the market regulations. It is immediately apparent that reputation mechanism in the failed market failed to provide a sound signalling mechanism for trustworthy users, as banned users have on average a higher reputation than normal users. The mapping between user trust and reputation level is clearly more meaningful in the working market (plot on the right), for which the reputation mechanism appears to be at least coherent in identifying reputable market players.

Exploit trading

In the paper Economic Factors of Vulnerability Trade and Exploitation we provide the first insights into the economy of exploit production and adoption at scale. Through infiltration of a prominent Russian cybercrime market (RuMarket), we provide figures on exploit appearance and pricing, portfolio updates, and relation with odds of exploitation in the wild.

The figure on the left reports the appearance of exploits in RuMarket for Adobe, Microsoft, and Oracle products from 2010 to 2017 (data is right-censored at April 2017, hence the apparent drop). Around the emergence of exploitation-as-a-service in 2010-2012 (as reported by Grier et al. at ACM CCS 2012) we observe an initial spike in published exploits, followed by a relative drop and a stable production rate following year 2014. Anecdotally, it is interesting to observe that the reported trend closely matches that of the Gartner's Hype Cycle for the introduction of new technologies on the market. It is also interesting to observe that following 2013 all Oracle (Java) exploits disappear: in 2013 major web browsers blocked internet plugins and Oracle raised the baseline security measure of the Java plugin, requiring user interaction for activation, a feature that cyber-criminal reportedly do not like as it increases the visibility of the attack.

Further, we find a clear relation between market dynamics and exploitation at scale.

The figure above reports exploit package cost (left) and market activity (right) against presence of exploit at scale. Even by just looking at the descriptive statistics in the boxplot it is apparent that higher prices hinder odds of exploit adoption, and that the opposite is true for market activity. A more formal analysis of these aspects is provided in the paper.

Attacker models

The observation of the economic background of the attacker calls for new models of attacker decisions. A critical aspect of this is exploit introduction, i.e. when will an attacker decide to update their portfolio and introduce a new attack at scale.

The figure above reports the rate at which already-attacked users receive attacks targeting the same vulnerability (red line) or a different vulnerability (black dotted line). The data comes from the WINE platform at Symantec. The trend is measured in days; as shown in the figure, it takes approximately 2 years for an exploit to be substituted at large in the wild by a different exploit. This points in the same direction as data collected in the underground markets, and suggests that attackers are “lazy” or, in economic terms, work averse in that they see additional exploitation work as a overhead in the attack process: as long as an exploit works against a significant fraction of users in the wild, attackers are unlikely to update their portfolio.